Authentication loss with IE8 and MVC FileContentResult

  • ASP.NET MVC2
  • .NET 3.5
  • FormsAuthentication
  • URL: domain.com/myapp
  • Problem area: Dynamically created PDFs returned as FileContentResult

Everything was working fine until IE8. With IE8, when the user opens a PDF and then returns to the app, he has lost his authentication. I added an expiry on the forms auth cookie and the problem appeared to be resolved. However, I later discovered that the same problem occurs in the parent app. With the persistent cookie, when the user continues in my app (domain.com/myapp), everything is fine, but when he returns to the parent app (domain.com) window he has lost his authentication. The parent app uses a proprietary authentication and authorization architecture that relies on session state.

So my understanding of the problem is that the FileSystemResult does not carry any session information and thus the session is lost. I understand that by adding an expiration to the cookie, the cookie is persisted and that enables the authorization to persist in my app, even when docs were opened.

I don't quite understand why adding an expiry to my cookie transferred the problem to the parent app. So, I was wrong, this has been happening all along in the parent. Interestingly, when I hooked up Fiddler to watch what was going on, the problem went away.

Do you have suggestions to resolve this? I can't think of anything other than something really ugly like writing the file to the server and returning a page with a link to open the file directly.

Based on this question I think I am hosed.

There are some changes to the way IE8 handles persistence cookies which could be the root of your problems. There's an interesting post here that describes a possible solution.

The solution took us quite a while to find online, believe it or not, and when we found it we wanted to kick ourselves for not finding it sooner. It all stems from the domain attribute of the forms authentication settings within the web.config file of your application. We typically left that attribute blank in our apps to make it easier to develop. Further, none of the other browsers above cared about that setting and functioned just fine. However, that changed in IE8 and now that attribute is required.
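
The setting the quoted post refers to, shown as an added example that is not part of the original question or answer. The domain `example.com`, the cookie name and the login URL are placeholders, and `requireSSL="true"` assumes the site is served over HTTPS.

```xml
<!-- web.config fragment (added example; example.com, .MYAPPAUTH and the
     loginUrl are placeholders, not values from the thread) -->
<configuration>
  <system.web>

    <!-- Before: domain left blank, so ASP.NET emits the forms auth cookie
         without a Domain attribute.
    <authentication mode="Forms">
      <forms loginUrl="~/Account/LogOn" timeout="30" />
    </authentication>
    -->

    <!-- After: domain set explicitly, as the quoted post describes.
         A Domain value scopes the cookie to that host and its subdomains,
         so use the narrowest value that covers the application. -->
    <authentication mode="Forms">
      <forms name=".MYAPPAUTH"
             loginUrl="~/Account/LogOn"
             domain="example.com"
             path="/"
             timeout="30"
             slidingExpiration="true"
             requireSSL="true" />
    </authentication>

  </system.web>
</configuration>
```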
